Top 5 Myths About Implementing ServiceNow GRC

Governance, Risk and Compliance (GRC) is an important area of focus for several organizations. Companies want a robust GRC program in place to help manage compliance with regulations and internal policies; enhance information security practices and streamline audits and remediation activities.

Organizations that are considering ServiceNow® as a potential tool for scaling and evolving their GRC capabilities generally have a few concerns about the tool. This article aims to dispel the Top 5 Myths our clients have expressed.

Myth #1: ServiceNow Is An IT Service Management Tool; Not A GRC Tool

For most GRC teams, the biggest drains on their time are evidence collection and remediation tracking activities. Another major source of frustration is creating reports and dashboards from multiple data sources. ServiceNow GRC leverages the workflow and task management capabilities of the core platform to enable the collection of real time data and to track and manage cross functional activities.

Embed your IT controls and compliance requirements into your organization’s Service Management

Leverage the Configuration Management Database (CMDB) to automate control testing

Take advantage of a test once, comply to many approach. Since control test instances store the results of the tests, you can reuse them across multiple regulations and provide consistent results to auditors and regulators

Leverage the Service Management processes to streamline remediation activities by generating tasks for corrective actions and implement SLAs, notification and alerts.

Myth #2: I Need A Robust CMDB Before I Can Implement ServiceNow GRC

It’s true that a well-built CMDB is the center of information on services, systems, applications delivered to the business. However, a lot of organizations tend to overreach in their quest for a robust CMDB.

You do not need a robust CMDB before implementing GRC. What you need is an ability to track data that supports control testing.

In the foundational stages of implementing ServiceNow GRC, you need CMDB to contain certain information; basics like server names, locations, ownership, applications installed, relationship to other assets in the infrastructure that are relevant to the scope of the applications or platforms for ITGCs. For example, if SOX is important to you, and your organization has 5-8 SOX applications, your CMDB needs to have reliable data related only to those applications. It is not required for the CMDB to be robust for the entire enterprise before implementing ServiceNow GRC.

As the GRC program becomes more mature and moves towards automation and brings in additional authority documents, GRC teams can work with the Configuration Management team to drive requirements for the CMDB and the two capabilities can grow in tandem.